add tpm2 luks decryption instructions for fedora kinoite

2025-03-12 16:41:19 -04:00
parent ecf66a5fb2
commit 34fad5846f
1 changed files with 51 additions and 15 deletions
--- a/infrastructure/graduated/fedora/fedora-kinoite.md
+++ b/infrastructure/graduated/fedora/fedora-kinoite.md
@@ -1,16 +1,57 @@
 # Fedora Kinoite

 - [Fedora Kinoite](#fedora-kinoite)
+  - [TPM2 Luks Decryption](#tpm2-luks-decryption)
  - [Podman](#podman)
    - [Autostarting services with quadlets](#autostarting-services-with-quadlets)
  - [rpm-ostree](#rpm-ostree)
    - [Git, Vim, etc](#git-vim-etc)
    - [Libvirt, Qemu, KVM](#libvirt-qemu-kvm)
-    - [Docker Compose and Docker Buildkit with Rootless Podman](#docker-compose-and-docker-buildkit-with-rootless-podman)
  - [Network](#network)
    - [Hostname](#hostname)
    - [VLAN Setup with nmcli](#vlan-setup-with-nmcli)

+## TPM2 Luks Decryption
+
+Mostly taken from here:
+<https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95>
+
+PCR reference for `--tpm2-pcrs` args
+
+```text
+0: System firmware executable
+2: Kernel
+4: Bootloader
+7: Secure boot state
+8: Cmdline
+9: Initrd
+```
+
+Basic commands:
+
+```bash
+# Show tpm2 devices
+systemd-cryptenroll --tpm2-device=list
+# Show crypto luks block devices
+blkid -t TYPE=crypto_LUKS
+
+# Enroll the tpm2 device with systemd-cryptenroll
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9 /dev/nvme0n1p3
+
+# Reenroll
+systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9
+
+# Append to command line args
+rpm-ostree kargs --append=rd.luks.options=tpm2-device=auto
+```
+
+When you update you'll need to reenroll. Add this to your ~/.bashrc
+
+```bash
+# LUKS TPM2 commands
+alias tpm2-reenroll='sudo systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9'
+```
+
 ## Podman

 Since you'll be using podman for most container-based services, you'll want to set the
@@ -52,6 +93,15 @@ systemctl --user start ollama

 ## rpm-ostree

+Note: if you don't need them, remove extra repos
+
+I removed:
+
+1. rpmfusion-nonfree-steam.repo
+2. rpmfusion-nonfree-nvidia-driver.repo
+3. google-chrome.repo
+4. _copr\:copr.fedorainfracloud.org\:phracek\:PyCharm.repo
+
 ```bash
 # Search for available packages
 rpm-ostree search git
@@ -81,20 +131,6 @@ rpm-ostree install virt-manager libvirt
 systemctl enable --now libvirtd
 ```

-### Docker Compose and Docker Buildkit with Rootless Podman
-
-Allows you to use podman with full docker-compose compatibility.
-
-<https://emersion.fr/blog/2025/using-podman-compose-and-buildkit/>
-
-```bash
-rpm-ostree install docker-compose docker-buildx
-reboot
-systemctl --user enable --now podman.socket
-docker context create podman --docker host=unix://$XDG_RUNTIME_DIR/podman/podman.sock
-docker context use podman
-```
-
 ## Network

 ### Hostname